Broad and Narrow Views of “Exceeds Authorized Access”
There has been a divergence among circuits regarding the meaning and scope of “exceeds authorized access,” making the issue ripe for Supreme Court review. On one side, the First, Fifth, Seventh, and Eleventh Circuits have taken what is considered the broad view, which holds that an individual who uses access to which he or she is allowed for a prohibited purpose, such as the misappropriation of the obtained information, is liable under the CFAA. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); see also United States v. Cave, 2013 U.S. Dist. LEXIS 99149 (D. Neb. July 16, 2013).
The reasoning employed by these circuits is exemplified in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), in which a former Social Security Administration employee accessed sensitive personal information for nonbusiness purposes, in violation of the administration’s computer-use policy prohibiting an employee from obtaining information from the administration’s database without a business purpose. The defendant accessed records of 17 people, including his ex-wife, ex-girlfriend, and several other women, for his personal use. The court held that while the employee was allowed to access the database, he exceeded authorized access within the meaning of the CFAA, because of his nonbusiness use of the information. Thus, according to the broad view of the CFAA, an employee’s legitimate computer access can “exceed authorized access” when the employee contravenes his or her employer’s policies, irrespective of whether he or she used the information for a criminal purpose.
Conversely, the Fourth and Ninth Circuits have taken a more limited view of the CFAA. WEC Carolina Energy Solutions, LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); LRVC Holdings LLC v. Brekka, 58 1 F.3d 1127 (9th Cir. 2009); United States v. Nosal, 676 F.3d 854 (9th Cir. 2011). In the civil context, some district courts have also followed this narrow view in recent cases. See, e.g., Power Equip. Maint., Inc. v. Airco Power Servs., 2013 U.S. Dist. LEXIS 91484 (S.D.Ga. June 28, 2013). In United States v. Nosal, 676 F.3d 854 (9th Cir. 2011), an individual who sought to start a competing business obtained proprietary information from his former employer’s database with help from former colleagues. Although the employees’ access to the information was authorized, the company had a policy that forbade dissemination of the information. The court held that “the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions,” and affirmed the dismissal of those counts of the indictment. The court reasoned that the CFAA is not an expansive misappropriation statute prohibiting unauthorized use of information to which an individual had authorized access, but instead is designed to prohibit unauthorized access to computers (i.e., hacking). Thus, according to the narrow view, employees who have authority to access information, but then later misappropriate it, are not within the scope of the CFAA.
Defending Criminal Charges under the “Exceeds Authorized Access” Prong
The broad view of the “exceeds authorized access” prong of the CFAA gives the statute much broader applicability than possibly intended by Congress and could lead to discriminatory or arbitrary application. The Ninth Circuit’s opinion in Nosal sets forth a strong argument that should be invoked by those defending clients from CFAA charges, in arguing that the CFAA does not apply to instances where an individual had authorization to access information via computer but then used the information for a personal or inappropriate use.
The broad interpretation of the CFAA could criminalize all sorts of minute, insignificant behavior that takes place in workplaces daily. Any violation of private computer-use policies, such as checking personal emails or Twitter, could constitute behavior that “exceeds authorized access” and could, when applying the broad view of “exceeds authorized access,” subject employees to criminal liability. As cited by the court in Nosal: "When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite." 676 F.3d at 863 (internal quotation marks and citation omitted). The rule of lenity “not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize.” Thus, in instances where a defendant is charged with violating the CFAA by virtue of exceeding his or her “authorized access,” counsel should move to dismiss those charges, citing Nosal and the rule of lenity.
Similar Statutes Addressing Computer Crimes to Be Aware Of
Removing the CFAA from the prosecutor’s arsenal would not impair the government’s ability to prosecute crimes involving computers. Other criminal statutes would still likely apply to the same conduct. For example, the federal trade-secrets statute, 18 U.S.C. § 1832, specifically targets those who knowingly and without authorization obtain, transmit, or buy information used in interstate commerce for the economic benefit of anyone besides the owner. In situations where an employee accessed his or her employer’s computers and obtained confidential information for potentially competitive use, the trade-secrets statute is a more appropriate method in which to charge defendants than the CFAA. See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 202 (4th Cir. 2012). Indeed, the defendant in Nosal was also charged with theft of trade secrets and mail fraud. Also, in United States v. Zhang, 2012 U.S. Dist. LEXIS 74254 (N.D. Cal. May 29, 2012), the defendant was charged with violating the CFAA and multiple trade-secret-theft counts. There, the defendant downloaded company information to which he had access just before he left that company to start a new job. After a bench trial, the court, citing Nosal, ruled that the defendant was not guilty of violating the CFAA. However, he was found guilty of a number of the trade-secret charges and ultimately received a sentence of imprisonment for three months followed by three years of supervised release.
In addition, there are also a number of civil actions that aggrieved employers can take advantage of, rather than seeking remedies under the CFAA. Breach of contract, breach of fiduciary duty, conversion, tortious interference with an economic advantage, unfair competition, or misappropriation of trade secrets are all theories that are a better fit to remedy protected computer misuse than the CFAA.
The CFAA is a wieldy tool for employers unhappy with their former employees’ conduct and, thus, has become increasingly used in the civil context. Because of the CFAA’s criminal implications, its applications in instances where an individual “exceeds authorized access” should be viewed and considered carefully so as not to criminalize all or nearly all computer activity by an employee that contravenes the employer’s computer-use policy. The current circuit split makes this issue ripe for review by the Supreme Court. Until that time, however, when defending charges under the CFAA’s “exceeding authorized access” prong, counsel should mirror the Nosal court’s narrow view and reasoning, contest the CFAA’s applicability, and look to apply the rule of lenity.
Keywords: criminal litigation, Computer Fraud and Abuse Act, 18 U.S.C. § 1030, CFAA, computer crime, exceeds authorized access
Aaron M. Danzig is a partner at Arnall Golden Gregory LLP in Atlanta, Georgia. Matthew A. S. Esworthy is a partner at Shapiro, Sher, Guinot & Sandler in Baltimore, Maryland.